Example for Configuring Packet Filtering
Networking Requirements
As shown in Figure 1, users connect to external network devices through GE0/0/2 on SwitchA.
Packets of different services are identified by 802.1p priorities on the LSW. When packets reach the external network through GE0/0/2, it is required that data service packets be filtered and voice and video services be ensured.
Configuration Roadmap
- Configure interfaces so that users can access the external network through SwitchA.
- Configure traffic classifiers to classify packets based on 802.1p priorities.
- Configure traffic behaviors so that the device permits or rejects packets matching rules.
- Configure a traffic policy, bind the traffic policy to the traffic classifiers and traffic behaviors, and apply the traffic policy to GE0/0/1 in the inbound direction to filter packets.
Procedure
- Create VLANs and configure interfaces.
# Create VLAN 10 on the Switch.
<HUAWEI> system-view [HUAWEI] sysname SwitchA [SwitchA] vlan 10 [SwitchA-vlan10] quit
# Configure GE0/0/1 and GE0/0/2 on SwitchA as trunk interfaces and add them to VLAN 10.
[SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] port link-type trunk [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 [SwitchA-GigabitEthernet0/0/2] port link-type trunk [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 [SwitchA-GigabitEthernet0/0/2] quit
Configure the interface of the LSW connected to SwitchA as a trunk interface and add it to VLAN 10.
# Create VLANIF 10 and configure IP address 192.168.2.1/24 for it.
[SwitchA] interface vlanif 10 [SwitchA-Vlanif10] ip address 192.168.2.1 24 [SwitchA-Vlanif10] quit
Configure IP address 192.168.2.2/24 for the router interface connected to the Switch.
- Configure traffic classifiers.
# Create and configure traffic classifiers c1, c2, and c3 on SwitchA to classify packets based on 802.1p priorities.
[SwitchA] traffic classifier c1 [SwitchA-classifier-c1] if-match 8021p 2 [SwitchA-classifier-c1] quit [SwitchA] traffic classifier c2 [SwitchA-classifier-c2] if-match 8021p 5 [SwitchA-classifier-c2] quit [SwitchA] traffic classifier c3 [SwitchA-classifier-c3] if-match 8021p 6 [SwitchA-classifier-c3] quit
- Configure traffic behaviors.
# Configure a traffic behavior named b1 on SwitchA and define the deny action.
[SwitchA] traffic behavior b1 [SwitchA-behavior-b1] deny [SwitchA-behavior-b1] quit
# Configure traffic behaviors b2 and b3 on SwitchA and define the permit action.
[SwitchA] traffic behavior b2 [SwitchA-behavior-b2] permit [SwitchA-behavior-b2] quit [SwitchA] traffic behavior b3 [SwitchA-behavior-b3] permit [SwitchA-behavior-b3] quit
- Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy named p1 on SwitchA, bind the traffic behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to GE0/0/1 in the inbound direction to filter packets.
[SwitchA] traffic policy p1 [SwitchA-trafficpolicy-p1] classifier c1 behavior b1 [SwitchA-trafficpolicy-p1] classifier c2 behavior b2 [SwitchA-trafficpolicy-p1] classifier c3 behavior b3 [SwitchA-trafficpolicy-p1] quit [SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound [SwitchA-GigabitEthernet0/0/1] quit
- Verify the configuration.
# Check the traffic classifier configuration.
[SwitchA] display traffic classifier user-defined User Defined Classifier Information: Classifier: c2 Operator: OR Rule(s) : if-match 8021p 5 Classifier: c3 Operator: OR Rule(s) : if-match 8021p 6 Classifier: c1 Operator: OR Rule(s) : if-match 8021p 2 Total classifier number is 3# Check the traffic policy record.
[SwitchA] display traffic-policy applied-record p1 ------------------------------------------------- Policy Name: p1 Policy Index: 0 Classifier:c1 Behavior:b1 Classifier:c2 Behavior:b2 Classifier:c3 Behavior:b3 ------------------------------------------------- *interface GigabitEthernet0/0/1 traffic-policy p1 inbound slot 0 : success ------------------------------------------------- Policy total applied times: 1.
Configuration Files
SwitchA configuration file
# sysname SwitchA # vlan batch 10 # traffic classifier c1 operator or if-match 8021p 2 traffic classifier c2 operator or if-match 8021p 5 traffic classifier c3 operator or if-match 8021p 6 # traffic behavior b1 deny traffic behavior b2 permit traffic behavior b3 permit # traffic policy p1 match-order config classifier c1 behavior b1 classifier c2 behavior b2 classifier c3 behavior b3 # interface Vlanif10 ip address 192.168.2.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 traffic-policy p1 inbound # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 # return